The Revocation Server was Offline

By Shannon Fritz

I was working on some stuff in my lab today and had problems getting Hyper-V Replica to work. It was complaining that it was not able to verify the certificate: “The revocation function was unable to check revocation because the revocation server was offline. 0x80092013.”


I went on the Issuing CA and noticed that the “Certificate Authority” service was stopped and if I tried to start it I would get an Event ID 48 Warning and an Event ID 100 Error with the same message, that it couldn’t check the CRL.

Revocation status for a certificate in the chain for CA certificate 0 for techrede-PKIISSUE-CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).  Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  techrede-PKIISSUE-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

It was weird because the Issuing CA's CRL was online and available… but then it occurred to me that I'm using a two-tier PKI in the lab, and it's been a while since I set this thing up. In fact it had been about 6 months, and I had never republished the CRL from the Offline Root CA. That turned out to be the cause: the Root CA's CRL was issued with a validity of 6 months (26 weeks), so the copy sitting on the HTTP CDP had expired. When the CA service starts it validates its own CA certificate, and that means checking the root's CRL; an expired CRL is treated the same as an unreachable revocation server, hence CRYPT_E_REVOCATION_OFFLINE even though the web server was up.

What I needed to do was boot up my Root CA and run “certutil -crl”, which generated a new PKIROOT-CA.crl file in C:\Windows\system32\certsrv\certenroll\ (the filename will vary, based on the name of your CA). I then copied that file to my Online Issuing CA since that server is also where the CRL happens to be hosted, and put the file in the folder that publishes the CRL via http, overwriting the existing (and expired) .crl file. If your root's CDP extension also lists an LDAP location, the new CRL has to be published to Active Directory as well (certutil -dspublish), otherwise clients that check that location will still see the stale copy. After that I was able to start the “Certificate Authority” service.
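The steps above, as a PowerShell walkthrough added here (this is not code from the original post). It reuses the lab names from the post (PKIROOT-CA, techrede-PKIISSUE-CA) and assumes an HTTP CDP folder of C:\inetpub\wwwroot\pki and a removable drive E:\ for carrying the file between the offline root and the issuing CA; change those to match your environment. It also adds the checks a practitioner wants: confirm the CRL you just published really is current, and re-run the same chain validation the CA service performs at startup before trying to start it.

```powershell
# Added example, not from the original post. Assumed names/paths:
#   Root CA name:   PKIROOT-CA        (CRL file PKIROOT-CA.crl)
#   Issuing CA:     techrede-PKIISSUE-CA
#   HTTP CDP folder on the Issuing CA: C:\inetpub\wwwroot\pki
#   Sneakernet drive between the two CAs: E:\

# --- Step 1: on the offline Root CA, issue a fresh CRL --------------------------
certutil -crl
$rootCrl = 'C:\Windows\System32\certsrv\CertEnroll\PKIROOT-CA.crl'
Copy-Item -Path $rootCrl -Destination 'E:\PKIROOT-CA.crl' -Force

# --- Step 2: on the Issuing CA, overwrite the expired copy at the HTTP CDP ------
$cdpFolder = 'C:\inetpub\wwwroot\pki'                     # assumed CDP folder
$published = Join-Path $cdpFolder 'PKIROOT-CA.crl'
Copy-Item -Path 'E:\PKIROOT-CA.crl' -Destination $published -Force

# Only needed if the root CA's CDP extension also lists an LDAP location:
# certutil -dspublish -f $published

# --- Step 3: prove the published CRL is current before touching the service ----
function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines for a CRL.
    # The timestamps are printed in the local culture, so parse them that way.
    $dump = certutil -dump $Path
    $thisUpdate = [datetime]::Parse((($dump | Select-String 'ThisUpdate:').Line -replace '.*ThisUpdate:\s*', ''))
    $nextUpdate = [datetime]::Parse((($dump | Select-String 'NextUpdate:').Line -replace '.*NextUpdate:\s*', ''))
    [pscustomobject]@{
        Path       = $Path
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        Expired    = ($nextUpdate -lt (Get-Date))
        DaysLeft   = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)
    }
}

$crlInfo = Get-CrlValidity -Path $published
$crlInfo
if ($crlInfo.Expired) { throw "Published root CRL is still expired; check the copy step." }

# Re-run the chain check the CA service does at start-up. -urlfetch forces
# retrieval from the AIA/CDP URLs in the certificate instead of the local cache,
# so this fails the same way CertSvc would if the published CRL is still stale.
# (The .crt name is whatever CertEnroll holds for the issuing CA; assumed here.)
certutil -verify -urlfetch 'C:\Windows\System32\certsrv\CertEnroll\techrede-PKIISSUE-CA.crt'

# --- Step 4: start the CA service (service name CertSvc) ----------------------
Start-Service -Name CertSvc
Get-Service -Name CertSvc | Select-Object Status, DisplayName

# --- Step 5: avoid a repeat: see how long the root CRL is valid -----------------
# Run these on the Root CA. NextUpdate is ThisUpdate + CRLPeriod + CRLOverlapPeriod,
# so these values tell you when the next "boot the root and run certutil -crl" is due.
certutil -getreg ca\CRLPeriodUnits
certutil -getreg ca\CRLPeriod
certutil -getreg ca\CRLOverlapUnits
certutil -getreg ca\CRLOverlapPeriod
```

Two notes on this. First, `certutil -verify -urlfetch` is the useful check: a plain `certutil -verify` can pass against a cached CRL while the service still fails, because the service fetches and validates the published one. Second, ADCS does have a way to start the CA without a reachable revocation server (`certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE`, followed by a service restart); it only suppresses the startup check on the CA itself and does nothing for relying parties such as Hyper-V Replica, which will keep rejecting the chain until a current root CRL is actually published, so treat it as a stopgap rather than a fix.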

Once the CA was back online, things with Hyper-V Replica started working fine again.

N’joy.

Author

Shannon Fritz

Infrastructure Architect & Server Team Lead